Misc Good to Remember for Exam Flashcards
Which certificates do NOT auto-renew?
ACM certificates that were imported and certificates for Route 53 private hosted zones. All others do.
What are the conditions for public ACM certs to auto-renew?
The certificate must be in use and must use DNS validation.
Where can ACM certs be used for termination?
CloudFront or ALB only. Also works with Elastic Beanstalk and API Gateway. EC2 supports ACM only through Nitro Enclaves. Not on plain EC2, and not on non-AWS services.
With what is ACM private key encrypted?
KMS
What are used to access the private key when attaching ACM certificate to ELB and CloudFront?
Grants
What to do if ACM is not available in your region?
As a workaround, SSL certificates can be stored in the IAM Certificate Store.
Use ACM Private Certificate Authority (ACM-PCA) to run your own root or intermediate CA and issue private ACM certificates for internal infrastructure and clients.
What is Perfect Forward Secrecy?
If the key is compromised, the adversary cannot decrypt future traffic. To have PFS on an ALB, add a security policy that includes ECDHE-* ciphers.
Can APIGW cache?
Yes. API Gateway has optional API caching; it can cache API responses at an endpoint for 300 seconds by default, with a maximum of 3600 seconds.
What can Systems Manager Parameter Store do?
Store confidential parameters (passwords etc.) encrypted with your KMS key, called SecureString parameters. EC2 instances accessing such parameters must also have KMS decrypt permissions on their IAM role.
What is Systems Manager Run Command?
Automates common tasks such as applying patches or joining instances to a Windows domain at scale, without having to log in to the EC2 instances. Also called Simple Systems Manager (SSM). You need to attach an IAM role for SSM to every EC2 instance you want to manage AND the SSM agent must be installed on the instances (Amazon Linux AMIs have it preinstalled).
Deep packet inspection is NOT offered by any native AWS service
What allows you to check container images for vulnerabilities?
Amazon Elastic Container Registry
How does Elastic Container Service keep traffic off the internet?
It offers a VPC endpoint (like the S3 endpoint) so traffic from the VPC to other AWS services stays on the AWS network.
How to identify API activity in the last 90 days by a specific IAM access key, and how to do the same for activity older than 90 days?
Use CloudTrail event history. For activity older than 90 days, use Athena to query the CloudTrail logs stored in S3.
If web servers are behind an ALB, there is no need to keep them in a public subnet: put them in a private subnet with a security group that is open only to the ALB in the public subnet.
Can KMS keys created with imported key material be auto-rotated?
No. KMS keys created with imported key material cannot be auto-rotated. If you need annual rotation, create a new CMK, import new key material into it, and point the key alias to the new CMK so that existing users of the alias switch to the new CMK.
Can CMK aliases be used within policies?
No. The mapping of aliases to keys can be manipulated outside the policy, which would allow an escalation of privilege. Therefore key IDs must be used in KMS key policies, IAM policies, and KMS grants.
What to do if the CloudWatch agent deployed on EC2 is unable to deliver logs to CloudWatch?
Use AWS Run Command to verify that the "awslogs" service is running on the instance, and that the permissions used by the agent allow creating log groups/streams and putting log events.
What is required in order to attach a CMK encrypted EBS volume to a new instance?
The IAM user/role policy needs a kms:CreateGrant permission
Which type of logs cannot be sent to CloudWatch Logs?
S3 access logs. DNS query logs, VPC flow logs, and CloudTrail logs can be sent.
When Cognito receives a SAML assertion, it needs to be able to map SAML attributes to user pool attributes. When configuring Cognito to receive SAML assertions from an identity provider, you need to ensure that the identity provider is configured with Cognito as a relying party. API Gateway must also be configured to understand the authorization being passed from Amazon Cognito.
What are basic Lambda permissions that are required to log to CloudWatch Logs?
CreateLogGroup, CreateLogStream, and PutLogEvents.
What does AWS Config do?
Generates an event when the configuration of a resource changes, and maintains historical records of the configuration items of your resources from the time you start the configuration recorder.
What to do if you suspect your account is compromised?
Change your AWS account root user password.
Delete or rotate all root and IAM access keys.
Delete any potentially compromised IAM users, and change the password for all other IAM users (don't delete ALL users).
Delete any resources in your account that you didn't create.
How to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it?
Use CloudTrail log file integrity validation.
With the accounts in an AWS Organization, you can create a single CloudTrail trail that covers all accounts
What can be used in combination with Cloudtrail to analyze the API activity in your AWS account?
Athena (not GuardDuty) can be used with CloudTrail to analyze the API activity in your AWS account, with the ability to isolate activity by attributes such as source IP address and user.
How to check for insecure protocols in CloudWatch Events?
Configure Amazon Inspector as a target for CloudWatch Events. The runtime behavior package checks for insecure protocols such as Telnet, FTP, HTTP, IMAP, rlogin etc. Neither the AWS Config restricted-common-ports check nor Trusted Advisor will give you this information.
What can detect whether any of your EC2 instances are exhibiting unusual behavior, for example an EC2 instance trying to connect to multiple ports over a short period of time, which might indicate a port scan?
GuardDuty
What enables continuous monitoring of your AWS resources and, on finding a policy violation, can trigger a CloudWatch Event that invokes a Lambda to correct an S3 bucket ACL, or notify you via SNS?
AWS Config
What can be used to define your ideal configuration settings and monitor them continuously?
Use AWS Config rules. If a configuration change makes a resource non-compliant, Config flags the rule and triggers a CloudWatch event, which can invoke a Lambda to notify or remediate.
What do you need to do when using NACLs for an HTTP connection to be successful?
You need to allow port 80 inbound and allow the ephemeral ports outbound (not just port 80 outbound).
What uses machine learning to detect unusual behavior on your account, including unusual API activity, and can be used to report evidence of compromised instances?
GuardDuty
What is the difference between GuardDuty and CloudTrail?
GuardDuty: detects unusual behavior on your account, including unusual API activity, and can be used to report evidence of compromised instances.
CloudTrail: only logs API calls; it does not know whether they are malicious or not.
How to perform a security assessment on all EC2 instances to find vulnerabilities and deviations from best practices?
Inspector + Systems Manager is a better solution than Trusted Advisor + Config. Inspector identifies vulnerabilities and weaknesses as well as departures from established best practices.
Systems Manager can automate the installation of Inspector agents on hundreds of EC2 instances, which saves time when the work is time-critical. Trusted Advisor provides checks such as open ports in security groups and service limits, but does not perform EC2 security assessments.
How can MFA be required for each API call?
By adding an MFA condition to the IAM policy that authorizes that call.
What is the difference between public and private AMIs for logging in?
Public AMIs always need a key pair to log in.
Private AMIs can use other means to log in.
Who can create CloudFront key pairs?
Root account only, not IAM users.
How are X509 certificates used in EC2?
AWS can generate X509 certificates, or you create one and attach it to IAM or upload it to EC2.
Can EBS volumes be accessed by other accounts?
No. You can create snapshots and share those, though.
How should permissions be provided to Auto Scaling instances?
Permissions should be granted through an IAM role so that new instances receive them on creation; the credentials are exposed via instance metadata.
What does enabling Server Order Preference on an ELB allow?
It allows the ELB, rather than the client, to pick which cipher to use for SSL. ELB supports Perfect Forward Secrecy.
S3 ACLs grant access to specific objects at the account level, not the user level.
What is notable about S3 encryption?
The objects are encrypted; their metadata is not.
What are Glacier upload limits?
Single upload limit is 4 GB; multipart upload limit is 40,000 GB.
What is Storage Gateway?
It uploads contents to S3 in EBS snapshot format.
What does using EFS in VPC require?
Creating one mount target per AZ.
How is EFS data replicated?
EFS data is synchronously replicated to multiple AZs on write.
Root user access is not bounded by IAM policies.